Oblivious Transfer from Zero-Knowledge Proofs

Or How to Achieve Round-Optimal Quantum Oblivious Transfer and Zero-Knowledge Proofs on Quantum States

Conference paper, in: Advances in Cryptology – ASIACRYPT 2023 (ASIACRYPT 2023)

Abstract

We provide a generic construction to turn any classical Zero-Knowledge (ZK) protocol into a composable (quantum) oblivious transfer (OT) protocol, mostly lifting the round-complexity properties and security guarantees (plain-model/statistical security/unstructured functions\(\ldots \)) of the ZK protocol to the resulting OT protocol. Such a construction is unlikely to exist classically as Cryptomania is believed to be different from Minicrypt.

In particular, by instantiating our construction using Non-Interactive ZK (NIZK), we provide the first round-optimal (2-message) quantum OT protocol secure in the random oracle model, and round-optimal extensions to string and k-out-of-n OT.

At the heart of our construction lies a new method that allows us to prove properties on a received quantum state without revealing additional information on it, even in a non-interactive way and/or with statistical guarantees when using an appropriate classical ZK protocol. We can notably prove that a state has been partially measured (with arbitrary constraints on the set of measured qubits), without revealing any additional information on this set. This notion can be seen as an analog of ZK to quantum states, and we expect it to be of independent interest as it extends complexity theory to quantum languages, as illustrated by the two new complexity classes we introduce, ZKstatesQIP and ZKstatesQMA.


Notes

  1. Our protocol requires the use of a hash function h: since we need to prove statements on preimages of h in a ZK protocol, this makes our protocol non-black-box with respect to h, since the circuit of h must be known to the verifier. Therefore, even if the assumptions on h (collision-resistant and hiding) are trivially true if h is modelled as a random oracle, we cannot directly run the ZK protocol on an oracle, since the source code of h cannot efficiently be sent to the verifier. For this reason, we do not model h itself as an oracle (this assumption is required by the ZK protocol), and only assume that h is collision-resistant and hiding.

  2. Informally, a hiding function h is a function such that it is not possible to get any information on x given \(h(x\Vert r)\) for sufficiently large random r (this is used for instance in commitments). Actually, in practice we use a weaker assumption called “second-bit hardcore” (the function must only hide the second bit of x), since we believe that we could use the hardcore-bit construction of Goldreich-Levin to weaken the assumptions further by only assuming that the function is one-way.

  3. This holds for all variations of OT: bit OT, string OT, and k-out-of-n OT.

  4. The model of security is the same as that of the ZK protocol if we want an \(n+2\)-message protocol, and if we add the Common (uniform) Reference String assumption (weaker than the Random Oracle model) to provide the hash function, we can obtain a protocol with \(n+1\) messages.

  5. Our approach also works for string OT or k-out-of-n OT.

  6. In practice, we ask for h to be “second-bit hardcore”, meaning that it is not possible to learn the second bit of x given h(x), but we could also certainly extend the construction to work for any one-way function using the Goldreich-Levin construction and rejection sampling.

  7. For instance, you can think of \(\omega \) as the bases of \(\rho \), and \(\omega _s\) as the bits encoded in these bases.

  8. Note that in the formal definitions we actually formalize them using the more general notion of simulators, for several reasons: to be compatible with simulation-based proofs, but also because quantumly it is not possible to physically check whether a state belongs to a set, since some distributions of quantum states are different but still indistinguishable.

  9. If the security holds against a set of unbounded parties S, we denote it as \(\texttt {CS}_{s}{} \texttt {-QSA}\).

  10. This predicate might depend on a secret witness w known only to the prover, in which case we always replace \({{\,\textrm{Pred}\,}}(\cdots )\) with \({{\,\textrm{Pred}\,}}(w,\cdots )\), w being sent to the ideal functionalities and used in the ZK proofs. For simplicity, we will omit the witness from now on.

  11. Only Bob can sample the function, as collision resistance must hold against Alice and a malicious Alice could cheat when generating the function.

  12. As a reminder, this protocol samples and distributes a function h according to \( \texttt{Gen} \), and can either be done without communication in the CRS model (or heuristically if we replace h with a well-known collision-resistant hash function), or with one message in the plain model.

  13. Sometimes, we will write \((\textsf{P},\textbf{Z})\) instead of \(\textsf{P}\) to denote a more precise cut between the two sub-registers owned by the prover and the environment.

  14. Contrary to \(\mathcal {L}_\mathcal {Q}\), which must represent all states potentially obtainable by a malicious party (hence the need for a second register), here \(\mathcal {L}_\omega \) is only used to denote the states obtainable by honest parties, and can therefore often be seen as a set of states on a single register owned by the verifier. The reason we define it as a bipartite state here is that we might later be interested in the generation of truly bipartite states like graph states.

  15. Note that classically, we can see a witness in two different ways: it can be used to efficiently verify that \(x \in \mathcal {L}\), but more abstractly it can be seen as a way to partition \(\mathcal {L}\) into multiple \(\mathcal {L}_w\)’s: in an honest setting, given w, we expect to have \(x \in \mathcal {L}_w\), where \(\mathcal {L}_w = \{x \mid x \mathcal {R}w\}\). Quantumly, we will use this second point of view, as given \(\omega \) (the quantum equivalent of w) we expect in an honest setting to have \(\rho \in \mathcal {L}_\omega \), even if \(\omega \) cannot be used directly to verify that property once \(\rho \) is generated, because of the laws of physics.

  16. \(\mathcal {L}_\mathcal {Q}\) represents informally the set of states that any malicious party can generate, where the first register is the output of the verifier and the second register corresponds to registers potentially controlled by an adversary. Since only \(\mathcal {L}_\mathcal {Q}\) is needed to characterize the security of a protocol, it is sometimes called directly the quantum language.

  17. Of course, while still measuring the classical transcript to send to the verifier.

  18. \(\rho ^\textsf{P}\) will actually not be necessary in our main application, but we still include it in case it turns out to be useful in future applications.

  19. They are the most generic way to represent a measurement.

  20. Informally, \(f_0\) is used to filter some information on the measurement outcome m during an honest protocol.

  21. Informally, this register contains the subset of qubits in the second register to measure and a (typically random) sequence of Z rotations to apply on the remaining qubits. Since the first operation of M is to measure them, we can (and will) also consider them as classical inputs.

  22. Note that this sequence of rotations is only needed for correctness, as in the real protocol the non-measured qubits will be arbitrarily rotated.

  23. As a reminder, this protocol samples and distributes a function h according to \( \texttt{Gen} \), and can either be done without communication in the CRS model (or heuristically if we replace h with a well-known collision-resistant hash function), or with one message in the plain model.

  24. \(\mathcal {F}^{\text {Pred}}_{\textsf{SemCol}}\) can be used for any input quantum state, but for the ZKoQS we need to consider a particular case where the initial state is picked by the party instead of by the environment. The reason is that in ZKoQS protocols, an honest prover is only given a class as input.

Acknowledgment

The authors deeply thank Christian Schaffner for many insightful exchanges, together with Stacey Jeffery, Geoffroy Couteau and James Bartusek for precious discussions, and anonymous reviewers for many helpful comments and for pointing out a mistake (now corrected) in a proof that generalizes our first result. This work is co-funded by the European Union (ERC, ASC-Q, 101040624) and supported by the Dutch National Growth Fund (NGF), as part of the Quantum Delta NL programme.

Corresponding author: Léo Colisson.

Copyright information

© 2023 International Association for Cryptologic Research

Cite this paper

Colisson, L., Muguruza, G., Speelman, F. (2023). Oblivious Transfer from Zero-Knowledge Proofs. In: Guo, J., Steinfeld, R. (eds) Advances in Cryptology – ASIACRYPT 2023. ASIACRYPT 2023. Lecture Notes in Computer Science, vol 14445. Springer, Singapore. https://doi.org/10.1007/978-981-99-8742-9_1

  • DOI: https://doi.org/10.1007/978-981-99-8742-9_1

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-8741-2

  • Online ISBN: 978-981-99-8742-9
